BitLocker encrypts the whole drive. Depending on how it is configured, it either asks for a PIN or password before Windows starts, or a TPM chip releases the key automatically once the boot chain checks out; either way, if that check fails and you have also lost the recovery key, the drive cannot be unlocked and the computer cannot even boot.

FileVault, in its original form, only encrypted the home directory: the Mac could still boot, but nobody could read the files inside the home directory without the login. The current version, FileVault 2 (OS X Lion and later), encrypts the whole startup volume, so in practice it now behaves like BitLocker.

So – are you secured once you use BitLocker or FileVault for your respective OS?

The answer is: you are now protected from an “offline” attack, and only from that.

What Is an Offline Attack

An offline attack is one where the computer has been shut down and an attacker has stolen your laptop. Because the computer is off, the attacker has to recover the key without being able to boot up and log in, which makes the task considerably harder (not impossible, though). One caveat: “shut down” means powered off or hibernated, not asleep. A sleeping laptop keeps the volume key in RAM, where cold-boot and DMA-style attacks have historically been able to recover it, so a stolen laptop that was merely sleeping is closer to the online case below.

What About an Online Attack

Once you are booted up and logged in, though, these systems no longer offer the same protection, because your drive is now effectively unlocked: the OS decrypts every file on demand for any program that asks. If you have a trojan running on your computer with your account’s access, it can read the encrypted files just as you can.

So, while BitLocker and FileVault are both easily accessible since they come with the OS, they are limited in what they protect. They are a good fit for the case where your computer is lost or stolen, for example, and not much more.

Choose for Offline Attack Protection If

You travel with your computer a lot

You are more than likely to leave your computer unattended while outside

You have tendency to lose things

Offline Attack Protection is less of a concern if

Your computer is stationary (at home or at the office; the office is the greater risk)

You always have your laptop with you when you are outside (but this is not fail-safe, since robberies happen)

One reason I don’t just give you a list of tools is, as stated, that this blog focuses on concepts: tools get outdated all the time, while concepts remain workable and applicable. So we’ll start with the concepts.

With that said, as to what the state of the art is… there isn’t one single tool for encryption. Each encryption tool serves a different purpose, and because you’ll incur the cost of learning the tool, you’ll need to decide whether it’s worth that cost to you.

For example, there are tools designed specifically for securing passwords, in the manner we have described so far.

But such a tool isn’t a good fit for storing sensitive documents, especially if you need the storage to work well with the rest of the operating system (e.g. you can search for the file through Windows Explorer or Finder). So you’ll need a different tool for storing sensitive documents.

Now, if you go ahead and type up a document with your passwords inside and put it into the file-based encrypted storage, you do not need a password management system (and hence there is less of a learning curve). But you might find the file-based encrypted storage more cumbersome to use, because it’s not specifically optimized for password usage.

Only you can determine whether or not the additional learning curve is worth it.

It depends on your requirement.

For example, so far in this blog we’ve defined the reason why you need a password encryption tool. Although we have yet to define the reason why you need a file-based encryption system, you probably have sensitive documents besides your passwords that you wish to protect. If you do, and you have the time and energy to invest in learning both, then you should learn both.

If you only have time to learn one, then you’ll need to decide on the following:

If you need to use it for both purposes, then a file-based system can be used for both, but it is more cumbersome to use for passwords

A password management system can mostly be used just for passwords (depending on the system you choose); so you choose this option if your password management needs outweigh your file needs by a large margin, i.e. you won’t bother with general file encryption for now

Here’s a little diagram showing the decision flow

The decision tree of the encryption tool investment process.

I’ll leave it to you to decide how much time you’ll invest in learning the tools. I will, however, continue to discuss a few different types of encryption tools and what they protect against in future posts.

We might have gone over the “shift” rules too quickly – let’s take a closer look to ensure we understand them.

A shift rule means changing one character into another character.

So – if we say “change the letter ‘i’ into the letter ‘*’“, that’s a shift rule.

Why do we call this a “shift” rule? Because it’s often easiest to accomplish by “shifting” your finger on the keyboard.

So if you shift your finger up from the letter i to the number/symbol row, you’ll land on the 8/* key (on a US keyboard). Holding the “shift” key while pressing it types *.

From the letter i

Shift i into *

That’s all there is to a shift rule.

If you have enough shift rules in place, you can make your phrase completely unrecognizable. And if you choose your shift rules carefully so that no two different characters are shifted to the same character (i.e. if i shifts to *, then no other character may shift to *), the transformation can be undone, and you have just designed your own encryption method!

If you are mathematically inclined you’ll probably find the exercise of designing your own encryption method quite interesting; for everyone else, knowing the concept of how encryption works is good enough. The above is a simple encryption mechanism called a substitution cipher; the Caesar cipher you may have heard of is the special case where every letter is shifted by the same fixed amount. You should not rely on this method for real encryption needs (a single-character substitution is broken trivially by frequency analysis), but for the purpose of creating a memorable yet hard-to-guess password, it’s good enough.

As this is a primer blog, we won’t delve too deep into encryption except for dealing with how to use encryption tools, which will come in future posts.

Obviously, there can be a phrase dictionary too, so it’s best not to choose common phrases such as “to be or not to be”; if you do, your account might not “be” for too long.

A good phrase is something that only you would know. For example, you might once have been asked to write about Shakespeare. So you look up your past homework assignment and find the following gem:

Ophelia thinks Hamlet is running the asylum

So you use that as the base of your password. Note how long it is! Phrases are the easiest way to create long passwords.

Of course, if you use the above directly, it doesn’t enlarge the set of possible characters much (it’s letters and spaces only), so we can do some “shifting” of the characters to increase it.

For example, we can “shift” every letter ‘t’ to the character ‘%’. The phrase now becomes

Ophelia %hinks Hamle% is running %he asylum

We can also “shift” the letter ‘n’ to the character ‘^’, which gives us the following

Ophelia %hi^ks Hamle% is ru^^i^g %he asylum

We can change the letter ‘l’ to the digit ‘1’, which gives us the following

Ophe1ia %hi^ks Ham1e% is ru^^i^g %he asy1um

And so on. You can apply as many shift rules as you deem necessary. With this, all you need to do is remember the phrase along with the shift rules you have applied. After you have typed it a few times, the transformation rules become part of your muscle memory, and all you really remember is the phrase. One caveat: the most common substitutions (l to 1, e to 3, a to @, s to $) are built into password-cracking tools as standard rules, so they add less than they seem to; an unusual substitution applied to a phrase only you would know is what does the real work.

If you run into character limitations imposed by the system (say, no ‘%’ character), just make sure none of your shift rules targets that character (i.e. no shift from ‘t’ to ‘%’).

If you run into a length limitation imposed by the system, the easiest approach is to compress the phrase; say we take the first two characters of each word to form the base.

So from the original phrase

Ophelia thinks Hamlet is running the asylum

Taking the first two characters of each word gives

OpthHaisruthas

And you can still apply shift rules, say changing ‘t’ to ‘%’

Op%hHaisru%has

And so on.

Whether you compress the phrase or not, starting from a phrase and applying shift rules is the easiest way to create a strong password that’s memorable. You can use a consistent set of shift rules for multiple passwords; you just need a different phrase for each!

Now go choose memorable phrases and transformation rules that are unique to you.
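The phrase-plus-shift-rules procedure above, including the reversibility check (no two characters shifting to the same target), the compression trick for sites with a length limit, and the character limitation check, as a small added example. This is illustrative code written for this page, not code from the blog; the rule set, the sample limits and the function names are assumptions.

```python
"""Turn a passphrase into a password by applying "shift rules".

Added example; not code from the original blog. The rule set, the
phrase and the site limits used below are illustrative assumptions.
"""
from __future__ import annotations


def check_rules(rules: dict[str, str]) -> None:
    """Reject rule sets that are not reversible.

    Two different source characters shifted to the same target would
    collapse them, turning the substitution into a many-to-one mapping.
    """
    targets: dict[str, str] = {}
    for src, dst in rules.items():
        if len(src) != 1 or len(dst) != 1:
            raise ValueError(f"rules map single characters: {src!r} -> {dst!r}")
        if dst in targets:
            raise ValueError(f"{src!r} and {targets[dst]!r} both shift to {dst!r}")
        targets[dst] = src


def apply_rules(phrase: str, rules: dict[str, str]) -> str:
    """Shift every occurrence of each source character to its target.

    All rules are applied simultaneously (str.translate), so a character
    produced by one rule is never re-shifted by a later one.
    """
    check_rules(rules)
    return phrase.translate(str.maketrans(rules))


def compress(phrase: str, chars_per_word: int = 2) -> str:
    """Shorten a phrase by keeping the first N characters of each word."""
    return "".join(word[:chars_per_word] for word in phrase.split())


def fits(password: str, max_len: int | None = None, forbidden: str = "") -> bool:
    """Check a candidate against a site's length and character limitations."""
    if max_len is not None and len(password) > max_len:
        return False
    return not any(ch in forbidden for ch in password)


def build_password(phrase: str, rules: dict[str, str],
                   max_len: int | None = None, forbidden: str = "") -> str:
    """Phrase + rules -> password, compressing only if the full form is too long."""
    bad = sorted(src for src, dst in rules.items() if dst in forbidden)
    if bad:
        raise ValueError(f"rules {bad} shift into characters the site forbids")
    candidate = apply_rules(phrase, rules)
    if max_len is not None and len(candidate) > max_len:
        candidate = apply_rules(compress(phrase), rules)
    if not fits(candidate, max_len, forbidden):
        raise ValueError("phrase still does not fit the site's limits after compression")
    return candidate


if __name__ == "__main__":
    # Constructed sample: the phrase and rules used in the post.
    phrase = "Ophelia thinks Hamlet is running the asylum"
    rules = {"t": "%", "n": "^", "l": "1"}
    print(build_password(phrase, rules))                      # full form
    print(build_password(phrase, {"t": "%"}, max_len=16))     # compressed form
```

Rules are applied all at once rather than one after another, so a rule like i to * followed by * to # can never accidentally chain; with the rules in the post the two approaches give the same result. If a site forbids spaces, pass `forbidden=" "` and compress, or drop the spaces before applying the rules.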

So, for most passwords (see the next post for exceptions), you can choose a fully random password, but you’ll need to account for the system’s maximum length (so as not to exceed it) as well as any character limitations.

Google for a random password generator and you’ll find ones that work for your particular situation. Prefer one that runs locally (the generator built into a password manager, or a small script on your own machine) over a web page that hands the password to you: the web page doesn’t know where you will use the password, but it does see the password, and a logged list of generated passwords is exactly what an attacker would try first. A local generator has nobody to leak to.

Of course, make sure it’s written down in your encryption system along with the site info, so you’ll be able to recover it later.
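A local random password generator of the kind recommended above, as an added example written for this page (not the blog’s own tool). It draws from the OS cryptographic random source rather than the `random` module, and honours a site’s maximum length, forbidden characters and “must contain a digit/upper-case letter” rules; the symbol set and the sample policy are assumptions.

```python
"""Generate a random password under a site's constraints, using the OS CSPRNG.

Added example, not from the original post. The symbol set, the
'required classes' policy and the sample limits are assumptions.
"""
from __future__ import annotations

import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed set; trim it per site


def generate(length: int, *, allowed: str, require: tuple[str, ...] = (),
             max_tries: int = 1000) -> str:
    """Return a uniformly random password of `length` drawn from `allowed`.

    `require` lists character classes each of which must appear at least once.
    Rejection sampling (draw the whole password, discard it if a class is
    missing) keeps the distribution uniform over the accepted passwords;
    "pick one from each class, then shuffle" would bias the result.
    `secrets.choice` uses the OS CSPRNG; `random.choice` is seeded from a
    predictable state and must never be used for secrets.
    """
    if length < len(require):
        raise ValueError("length too short to contain every required class")
    if not allowed:
        raise ValueError("no characters left to choose from")
    for cls in require:
        if not set(cls) & set(allowed):
            raise ValueError("a required class has no characters in the allowed set")
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(allowed) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in require):
            return candidate
    raise RuntimeError("policy too tight for this length; loosen it or lengthen the password")


def for_site(max_len: int, forbidden: str = "",
             require: tuple[str, ...] = ()) -> str:
    """Use the site's whole maximum length and drop the characters it rejects."""
    allowed = "".join(ch for ch in LOWER + UPPER + DIGITS + SYMBOLS
                      if ch not in forbidden)
    return generate(max_len, allowed=allowed, require=require)


if __name__ == "__main__":
    # Constructed sample policy: max 16 characters, no & or %, needs a digit and a capital.
    print(for_site(16, forbidden="&%", require=(DIGITS, UPPER)))
```

Always use the full maximum the site allows; every character you leave out shrinks the key space, which is the subject of the next post.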

We’ll talk about another way of generating great passwords in the next post.

If your password is a common password, or a word that exists in a dictionary, your password is not secure. This is because it’s extremely easy for hackers to simply run through the list of words to see which one matches. Computers can do this without blinking.

Previously we looked at the different types of password rules in the wild today. Many of them are conflicting, and not all of them are good.

Knowledge is power: knowing how to spot bad password rules can alert you that the system is potentially poorly implemented, and that the people behind it may not have much security knowledge. Depending on the sensitivity of what you need to do with them, this knowledge might steer you away from doing business with them, so you won’t have a security breach to worry about down the road.

Even when you must do business with them, you can still send them this article and ask them to fix and improve their system. Most people out there have good intentions (i.e. they are not trying to steal your password) if they want to do business with you; they just might not have all the knowledge needed to do it properly. You, as a customer, can help nudge them in the right direction.

There is actually no technical reason why the above characters, or any characters at all, cannot be used (you ought to be able to use Chinese characters if you know how to type them). A properly built system hashes the password the moment it arrives, after which every character is just a few bytes; a site that rejects quotes, ampersands or angle brackets is often hinting that the raw password is being pasted into HTML or a database query, which is a worse problem than the rule itself. The only situation where a limitation makes sense is if you will use the password to log in from a tool that cannot type these characters (such as an interactive voice response system), but more often than not a phone-based system is accessed with a different secret (called a PIN in this case) instead. So even in that case it doesn’t really apply. And many sites with this limitation do not have phone-based logins at all.

Another extremely common negative statement is a limit on maximum password length. Some are more reasonable than others, but some are extremely short. To understand why this matters, we’ll need to understand a bit more about how passwords work.

The total key space is 1,000 for this combination lock.

If we look at the combination lock above, it has 3 dials. Each dial has 10 numbers, so the total number of combinations (called the key space) of this lock is 10 x 10 x 10 = 1,000. I.e. if someone tries to open this lock, he has a 1 in 1,000 chance of getting it on the first try.

To increase the key space (i.e. reduce the chance of someone actually finding the key), we can either increase the number of dials, or increase the number of values per dial.

The key space is 10,000 for this lock.

For example, the lock above has 4 dials, so its key space is 10 x 10 x 10 x 10 = 10,000. With one additional dial we have reduced the odds tenfold.

The key space for this lock is 64,000.

The padlock above has only 3 dials, but each dial has 40 values, so the total key space is 40 x 40 x 40 = 64,000.

Passwords work exactly the same way: the key space is (number of allowed characters) raised to the power of (password length). Limiting the maximum length limits the number of dials; limiting special characters limits the values per dial. Either rule reduces the total key space, which reduces the strength of the password system itself. Note that the length is the exponent, so it is the more powerful of the two: sixteen lowercase letters (26^16) dwarf eight characters drawn from all 95 printable ASCII symbols (95^8).

It takes ten times more effort to crack a lock with a key space of 10,000 than a lock with a key space of 1,000.

About the only good negative statement in password rules is a minimum length, as this rule ensures a minimum amount of key space is used. (A generous maximum, say 64 or 128 characters, is also defensible: it bounds the cost of hashing, and some hash functions such as bcrypt only look at the first 72 bytes anyway. An 8- or 16-character cap has no such justification.)
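The key space arithmetic from the three locks above, carried over to password rules, as an added example written for this page (not the blog’s own code). The policies and the guess rate are assumed round numbers for illustration, not measurements of any real site or cracking rig.

```python
"""Key space arithmetic for the locks and password rules discussed above.

Added example, not from the original post. The guess rate and the
policies compared are assumed round numbers for illustration.
"""
from __future__ import annotations

import math

# Alphabet sizes: 26 lowercase, 52 letters, 62 alphanumeric, 95 printable ASCII.
LOWERCASE, LETTERS, ALNUM, PRINTABLE = 26, 52, 62, 95


def key_space(values_per_position: int, positions: int) -> int:
    """Number of distinct keys: each position independently takes one of N values."""
    if values_per_position < 1 or positions < 1:
        raise ValueError("need at least one value and one position")
    return values_per_position ** positions


def bits(space: int) -> float:
    """Key space expressed as 'bits of strength' (log2), the usual shorthand."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: try every key. The average is half of this."""
    return space / guesses_per_second


def compare_policies(guesses_per_second: float = 1e9) -> dict[str, tuple[int, float, float]]:
    """Key space, bits and exhaustive-search time (seconds) for a few rule sets.

    1e9 guesses/second is an assumed round figure for an offline attack
    against a fast, unsalted hash; a slow hash cuts it by orders of magnitude.
    """
    policies = {
        "combination lock, 3 dials x 10": (10, 3),
        "combination lock, 4 dials x 10": (10, 4),
        "padlock, 3 dials x 40": (40, 3),
        "max 8 chars, lowercase only": (LOWERCASE, 8),
        "max 8 chars, all printable ASCII": (PRINTABLE, 8),
        "16 chars, lowercase only": (LOWERCASE, 16),
        "16 chars, all printable ASCII": (PRINTABLE, 16),
    }
    result = {}
    for name, (n, length) in policies.items():
        space = key_space(n, length)
        result[name] = (space, bits(space), seconds_to_exhaust(space, guesses_per_second))
    return result


if __name__ == "__main__":
    for name, (space, b, secs) in compare_policies().items():
        print(f"{name:35s} {space:>12.3e} keys  {b:6.1f} bits  {secs / 86400:12.1f} days")
```

The comparison makes the point of the previous paragraph concrete: the 16-character lowercase policy has a larger key space than the 8-character policy with every printable symbol allowed, because length sits in the exponent.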

So the next time you find a site with arbitrary character or length limits, send the administrator this article!

If you have more than a few accounts, you’ll run into a variety of rules:

Requiring a number

Requiring an upper case letter

Requiring a symbol

Cannot use special characters such as &, %, etc.

Maximum 8 characters

Minimum 8 characters

etc.

A set of commonly seen password rules.

And the problem is that the rules implemented by different accounts conflict, so you will have a hard time finding a single password that works for all accounts (and you’ll come across new rules as you add new accounts, which can invalidate your previous passwords).

So, besides the fact that having different passwords for different accounts reduces your risk should you ever lose a password, you would have a hard time coming up with a single password in the first place anyway.

But there is one more problem if you want to use a single password: not all of your accounts are implemented securely.

You might think that there is some sort of password system that companies can buy and install, just like we go out and buy cars and computers ready-made.

There are some systems like that. For example, this site runs on WordPress, and it uses the password system that comes with WordPress. Anyone else running a WordPress website will have the same password system (unless they change it).

However, more often than not, companies write their own from scratch, and not all of them do a good job. Writing it from scratch is the risky part; the safer route is to use a well-tested library and only configure it.

To be fair, WordPress’s own password system isn’t a Ferrari. It’s serviceable because WordPress is mostly used for blogs, so if it’s compromised the impact is limited. Systems like banks need something much better, so it’s often a custom job. But not all systems are implemented with best practices.

For example, some of them will store your passwords without any protection (the proper technique is a salted, deliberately slow hash, but we won’t get into the details here), so any administrator who peeks into the database (which they have access to) can see the actual password. If any of them become disgruntled for any reason (we all know times when we hated the company we worked for, right?)… we the customers are now hostage to the situation.

Even if all admins are happy as dolphins, if a hacker breaks into the system, the passwords are there for the taking!
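The two ways of storing a password that the last paragraphs contrast, side by side, as an added example written for this page (not WordPress’s or any real site’s code). The left half stores the password as received; the right half stores only a salted, slow hash, so neither an admin nor a database dump yields the password, and a stolen table cannot be cracked in bulk. It also backs up the earlier point that there is no technical reason to ban characters: the password is normalised and encoded to bytes before hashing, so Chinese text and symbols go through unchanged. The in-memory dictionaries standing in for a database and the function names are assumptions; the iteration count is the OWASP 2023 recommendation for PBKDF2-HMAC-SHA256 (Argon2id, scrypt or bcrypt are preferable where a library is available).

```python
"""Plaintext password storage beside the hashed form it should have been.

Added example, not code from the blog. INSECURE_DB / SECURE_DB are in-memory
dictionaries standing in for a database.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000   # OWASP 2023 figure for PBKDF2-HMAC-SHA256


def _to_bytes(password: str) -> bytes:
    # Normalise first so the same visible text typed on different platforms
    # (composed vs. decomposed accents) yields the same bytes; after that any
    # character at all, CJK text and symbols included, is just UTF-8 bytes.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


# --- what the text warns about: the password itself is stored ---------------
INSECURE_DB: dict[str, str] = {}


def insecure_register(user: str, password: str) -> None:
    INSECURE_DB[user] = password          # an admin or a DB dump reveals it


def insecure_login(user: str, password: str) -> bool:
    return INSECURE_DB.get(user) == password


# --- hardened: salted, slow hash; the password itself is never stored -------
SECURE_DB: dict[str, tuple[bytes, bytes]] = {}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt means two users with the
    same password get different digests, defeating precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, ITERATIONS)
    return salt, digest


def register(user: str, password: str) -> None:
    SECURE_DB[user] = hash_password(password)


def login(user: str, password: str) -> bool:
    record = SECURE_DB.get(user)
    if record is None:
        hash_password(password)           # same cost as a real check: no user-enumeration timing leak
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)   # constant-time comparison


def leaked_record(user: str):
    """What an attacker (or a curious admin) sees in each store."""
    return INSECURE_DB.get(user), SECURE_DB.get(user)


if __name__ == "__main__":
    # Constructed sample accounts.
    insecure_register("alice", "hunter2")
    register("alice", "hunter2")
    print(leaked_record("alice"))
```

The slow hash is the part that matters for the “hacker broke in” case: with 600,000 iterations an attacker who steals the table can test perhaps thousands of guesses per second per core instead of billions, which turns the key space numbers from the previous post back into real time.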

The problem is that you don’t know how your different systems are implemented! So you don’t know whether they have done a good job or not.

So don’t assume that your systems are implemented securely. They could very well be, but assuming the worst here is a better approach than the other way around.

In the past, you have probably heard the opposite advice from professionals: that writing passwords down is bad. But you know that if you don’t write passwords down, you’ll forget them. Notice the “forgot password” link on most websites? It’s a pretty popular feature.

So the title says that writing your passwords down is… good. Let’s all rejoice.

Okay, don’t get too excited. Notice the … between the words “is” and “good”, and notice the “sort of”. Writing your passwords down on post-it notes still isn’t all that good.

See the nuance above? If you do one thing, one outcome follows; otherwise, a different one does. This is the hallmark of concept learning rather than rote learning. The more you understand the reasons behind a decision, the more soundly you can make it and the more confident you can be in the outcome. We’ll focus on concepts here.

So, if you have to write it down on a piece of paper, make sure you put that piece of paper away, say in your wallet (which is something you have to protect anyway… we’ll talk about physical security in future posts).

But better than writing it down on a piece of paper, write it down with encryption software.

The reason this is a better approach is that a proper encryption tool scrambles the data you write down so it cannot be reversed without the tool’s own password, and with the right tool the amount of data you can write down is far greater than fits on a piece of paper in your wallet.

So if you choose to write down all your passwords in an encrypted file, you in effect achieve the following:

The password to your encrypted file is now your MASTER PASSWORD: you only need to remember this one password to gain access to all the others

You can now use different, complex passwords for all of your accounts, because you no longer have to remember them; you just look one up when you need to access the account

You can still use the paper method above to write down the master password physically and put it into your wallet, of course.

The above method is obviously more cumbersome compared to a single-password approach, but as we said, the risk is now much lower, which, considering what the potential risks are, should make this a no-brainer. Furthermore, with an appropriate encryption system you will naturally find other confidential data for which it comes in handy.

But alas, there is no free lunch in this world, so we also have to pay attention to some additional issues:

For maximum safety, keep the encrypted file locked most of the time instead of leaving it open in the background: someone might look over your shoulder, and you might not remember it is there when that happens

You will also have to deal with backups of the file. Since you are unlikely to remember the data inside, once it’s gone it’s gone. But you’ve been backing up your computer, haven’t you?

Anyone with your house key can enter your house easily (there are other ways, of course, but this is the least fuss). Similarly, anyone with your password can use your accounts, be it your bank account, your laptop, etc.

Especially if they all share the same key.

If we have multiple doors in a house, we might have the same key for the different doors. But if we have multiple houses (say you own a few rental properties), you’ll be smart not to have the same key for the different houses. After all, as good as your relationship with your tenants may be, you probably don’t want them to have access to your own house.

And your car key is a different key from your house key as well. A thief who steals your car key can’t use it to get into your house.

Yet, most of the time, people reuse only a couple of passwords across all the accounts they have. The same person, however, will have a different key for each house and car.

Is it because people are “smarter” and more careful about the physical world? Unfortunately, it’s not because we are more street smart in the physical world; this outcome is really a happy accident, because different physical locks come with different keys automatically, so we don’t really have a choice.

And when we do, we often opt for convenience.

For example, anyone who runs a large apartment building knows the pain of dealing with a huge set of keys. Even if you never manage one, you might have applied to live in one, and seen the landlord carrying a large set of keys and fumbling through them to find the right one when you went to see the unit.

If the landlord has enough money, she can buy a master key system that removes the need to carry all the keys, and carry a single master key instead.

Yes, many keys are a pain to manage, whether physical or virtual. And whenever possible, people opt for convenience over full security.

This is the reason why many of us have a single password for all the different websites we use.

But the same as with the master key, once it is compromised, all of the units can be unlocked. If a hacker obtains your single password, he can now get into all of your accounts, and potentially take all the money in your bank.

You don’t want to put all your eggs in a single basket.

Say NO to a single password! If there is one thing you should take away from this blog, this is it.

Of course, as stated above, many passwords are a pain to manage. But compared to having a single password stolen, it’s a much preferable alternative. We’ll explore how to manage passwords appropriately in future posts.